From c65101a4e39eb5fce43d4e893d5cf7e1b60ef15f Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Fri, 20 Sep 2019 22:23:02 +0300
Subject: [PATCH] Small improvments to the nss-pam-ldapd image.

- Set the client configuration (/etc/ldap/ldap.conf) according to the
environment variables.
- Add LDAP_REQCERT environment variable to set the certificate
validation.
---
 nss-pam-ldapd/Dockerfile |  6 ++++--
 nss-pam-ldapd/README.md  |  1 +
 nss-pam-ldapd/entrypoint | 15 ++++++++++++++-
 3 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/nss-pam-ldapd/Dockerfile b/nss-pam-ldapd/Dockerfile
index 8bc9d87..b142eba 100644
--- a/nss-pam-ldapd/Dockerfile
+++ b/nss-pam-ldapd/Dockerfile
@@ -9,13 +9,15 @@ RUN apt-get update && \
     mkdir -p /run/nslcd && \
     chown -R nslcd:nslcd /run/nslcd/ && \
     sed -i 's/compat/compat ldap/g' /etc/nsswitch.conf && \
-    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/* /etc/nslcd.conf
+    apt-get clean && \
+    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /etc/nslcd.conf
 COPY --chown=root:root entrypoint /
 ENV LDAP_URIS=ldapi:/// \
     LDAP_AUTH_TYPE=none \
     LDAP_STARTTLS=false \
     LDAP_BASE_DN="dc=trusted" \
-    LDAP_CACERTFILE=/etc/ssl/certs/ca-certificates.crt
+    LDAP_CACERTFILE=/etc/ssl/certs/ca-certificates.crt \
+    LDAP_REQCERT=never
 ENTRYPOINT [ "/entrypoint" ]
 CMD [ "/usr/sbin/nslcd", "--nofork" ]
 HEALTHCHECK CMD pgrep nslcd || exit 1
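Review bot: The new `LDAP_REQCERT=never` default on the ENV line turns off TLS server-certificate verification for every container that does not override it, so with `LDAP_STARTTLS=true` or an `ldaps://` URI the connection to the directory can be intercepted without nslcd noticing. Since the image already sets `LDAP_CACERTFILE=/etc/ssl/certs/ca-certificates.crt`, the safer default is `LDAP_REQCERT=demand`, leaving `never` as an explicit opt-out for lab setups; the README row for `LDAP_REQCERT` should then show `demand` as well. If `never` is intentional because the default URI is the local `ldapi:///` socket, record that next to the ENV line: `# LDAP_REQCERT defaults to "never" for ldapi:///; set "demand" for StartTLS/ldaps deployments`.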
diff --git a/nss-pam-ldapd/README.md b/nss-pam-ldapd/README.md
index 0b47ed7..45b0fbe 100644
--- a/nss-pam-ldapd/README.md
+++ b/nss-pam-ldapd/README.md
@@ -18,6 +18,7 @@ Name | Default value
 `LDAP_STARTTLS` | `false`
 `LDAP_BASE_DN` | `dc=trusted`
 `LDAP_CACERTFILE` | `/etc/ssl/certs/ca-certificates.crt`
+`LDAP_REQCERT` | `never`
 
 ## License
 
diff --git a/nss-pam-ldapd/entrypoint b/nss-pam-ldapd/entrypoint
index 356b649..8ba43f2 100755
--- a/nss-pam-ldapd/entrypoint
+++ b/nss-pam-ldapd/entrypoint
@@ -19,6 +19,19 @@ nslcd	nslcd/ldap-cacertfile	string	${LDAP_CACERTFILE:-}
 nslcd	nslcd/ldap-sasl-secprops	string	${LDAP_SASL_SECPROPS:-}
 EOF
 
-dpkg-reconfigure -f noninteractive nslcd
+DEBIAN_FRONTEND=noninteractive dpkg-reconfigure -f noninteractive nslcd
+
+cat << EOF | tee /etc/ldap/ldap.conf
+URI ${LDAP_URIS:-}
+BASE ${LDAP_BASE_DN:-}
+BINDDN ${LDAP_BINDDN:-}
+SASL_MECH ${LDAP_SASL_MECH:-}
+SASL_REALMa ${LDAP_SASL_REALM:-}
+SASL_AUTHCID ${LDAP_SASL_AUTHCID:-}
+SASL_AUTHZID ${LDAP_SASL_AUTHZID:-}
+SASL_SECPROPS ${LDAP_SASL_SECPROPS:-}
+TLS_CACERT  ${LDAP_SASL_SECPROPS:-}
+TLS_REQCERT ${LDAP_REQCERT:-}
+EOF
 
 eval exec gosu "nslcd:nslcd" "$@"
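Review bot: The `TLS_CACERT` line written into /etc/ldap/ldap.conf expands `${LDAP_SASL_SECPROPS:-}` instead of `${LDAP_CACERTFILE:-}`, so the client-side CA bundle is empty (or set to a SASL secprops string) and certificate verification can never succeed once `LDAP_REQCERT` is raised above `never`; it should read `TLS_CACERT ${LDAP_CACERTFILE:-}`. Two lines above, `SASL_REALMa` is a typo for `SASL_REALM` and is not a recognised ldap.conf keyword, so the realm is presumably dropped; the line should be `SASL_REALM ${LDAP_SASL_REALM:-}`. The `tee` also echoes the whole generated file, including `BINDDN`, to the container log on every start; `cat > /etc/ldap/ldap.conf << EOF` produces the same file without logging it.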
-- 
GitLab